VUEM: security settings not being applied


Some security settings (such as hiding the Run menu or blocking access to system drives) are not being applied, and the Agent log throws errors such as these:

11:19:18 Exception -> VuemEnvironmentalSettingsController.ExecuteEntityPolicySettings() : Attempted to perform an unauthorized operation.

09:23:01 Exception -> VuemEnvironmentalSettingsController.ExecuteEntityPolicySettings() : Denied access to the registry.


Cause and Resolution

To apply security settings such as these, VUEM uses a local account called VuemLocalUser. If this user is not allowed to log on locally, VUEM will not be allowed to apply security settings. There are several reasons why this right may not be allowed:


1. Your local or network password policies may be blocking the VuemLocalUser account

By default, the account is created with an 8-character password that contains a mix of alphanumeric characters in upper and lower cases. If this does not meet your password policy, the VuemLocalUser account will not be able to modify the registry.

To resolve this, uninstall the Norskale Agent Host, then reinstall it with the VuemLocalUserPassword argument and specify the password you wish the account to use. Instructions for this (including full syntax) are on page 19 of the VUEM Installation Guide.


2. The VuemLocalUser account is explicitly denied the right to log on locally

Some domain policies strip this right from certain users for security reasons. To resolve this, grant the VuemLocalUser account explicit rights to log on locally, as detailed in this Technet article:

Please note, you will need to make sure that whatever policy stripped this right from the account in the first place is not still in effect.


3. The Process Environmental Settings option is not enabled

In order to minimise our impact on the host computer, the VUEM Agent service does not modify ACLs to grant vuemLocalUser access to use registry settings unless the Process Environmental Settings option is enabled under Policies and Profiles.


4. Your anti-virus is blocking access to the registry

To resolve this, completely exclude the Norskale installation directory from on-access scanning (this should be done by default in any case).



Article is closed for comments.
Powered by Zendesk